VMware Touts Virtualization For Datacenter Security

Hypervisor-based security would be like Goldilocks -- "not too hot, not too cold" -- when it comes to halting malware and intruders well inside the enterprise perimeter, say VMware leaders at Interop.


Virtualization is not only the focus of server consolidation and flexible resource management, it's also a potential new hub of datacenter security.

Hypervisors contain virtual switches that collect both application and network traffic. From that vantage point, VMware's ESX hypervisor can watch application context and traffic, while staying away from the network edge where the application's attack surface provides the most exposure, said VMware CEO Pat Gelsinger in a keynote address Thursday at Interop Las Vegas, run by UBM Tech, InformationWeek's parent company.

Security spending is one of the fastest growing areas of the IT budget, but it's not keeping up with proliferating threats, Gelsinger said in VMware's first keynote address to the annual networking, application deployment, and datacenter management conference.

"We see this as the most critical time in IT in the past 30 years," Gelsinger said. The datacenter must operate more efficiently, in a more automated fashion, and in a more secure manner. As hardwired devices get reconfigured as virtualized resources, there's an opportunity to supply "a new security enforcement layer," Gelsinger said.

To explain the approach, he called on Martin Casado, VMware's CTO for networking and security. Casado told attendees he formerly worked on network security for US intelligence agencies (which he didn't name), and said he's happy to have a new weapon in his security arsenal -- virtualization's hypervisor.

Inside the hypervisor is the vSwitch, or ESX Server's software switch, that moves traffic to and from the virtual machines served by a host server. Additional security intelligence can be added to hypervisor operations to inspect the traffic, watch for malware, guard against anomalies in application behavior, and block intruders.

Casado said the hypervisors that manage virtualized compute, virtualized networking, and virtualized storage sit in the datacenter's "Goldilocks zone" for security management. That zone is isolated from the activity at the edge of the network, where it's "too hot," but not buried so deep in the infrastructure that it can't supervise activity affecting applications ("too cold").

Network managers "like to put an agent at the endpoint of the network," noted Casado, but that exposes it to the large attack surface of end-user activity and running applications. A rules engine deep in the infrastructure can apply policies that reflect the security standards of the organization, but it's too far from the activity of running systems to know for sure what the context is.

"We think the hypervisor is in an ideal position to provide both context and isolation" for a new layer of watching security and managing activity in applications and on the network. Virtual machines, with their software-defined limits on what RAM, resources, and types of network access they may use, are easier to police individually than applications running in more general-purpose environments, he said.

Likewise, the future software-defined datacenter will have the ability to capture mapped-out secure operations and definitions of disallowed behavior for each virtual machine and apply them through the hypervisor. It wasn't clear from Gelsinger's and Casado's brief presentation what activities might still lie outside the surveillance of such a system or where new vulnerabilities might be inadvertently created. Nor was there any roadmap for when the new security enforcement layer might materialize in VMware's vSphere product line.
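The "context plus isolation" argument above can be illustrated with a toy model (an added example, not VMware code or anything from the presentation): a perimeter firewall only ever inspects flows that cross the datacenter edge, while a policy check at the hypervisor's vSwitch sees every flow between VMs and knows which application tier each VM belongs to. The inventory, tier policy, addresses and sample flows are all constructed for the illustration.

```python
from collections import namedtuple
# Constructed inventory the hypervisor knows: VM name -> (application tier, address)
VMS = {
    "web-01": ("web", "10.0.1.10"),
    "app-01": ("app", "10.0.2.10"),
    "db-01":  ("db",  "10.0.3.10"),
}
EDGE_NET = "203.0.113."  # constructed external prefix (RFC 5737 TEST-NET-3)

# Constructed tier policy: (source tier, destination tier, destination port)
ALLOWED = {
    ("external", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
}

Flow = namedtuple("Flow", "src dst dport")  # a single connection attempt

def tier_of(ip):
    """VM context the hypervisor has: which tier owns this address."""
    if ip.startswith(EDGE_NET):
        return "external"
    for tier, addr in VMS.values():
        if addr == ip:
            return tier
    return None

def perimeter_sees(flow):
    """A perimeter firewall inspects only flows that cross the edge."""
    return flow.src.startswith(EDGE_NET) or flow.dst.startswith(EDGE_NET)

def hypervisor_verdict(flow):
    """vSwitch-level check against the tier policy; unknown endpoints are denied."""
    src_tier, dst_tier = tier_of(flow.src), tier_of(flow.dst)
    if src_tier is None or dst_tier is None:
        return "deny"
    return "allow" if (src_tier, dst_tier, flow.dport) in ALLOWED else "deny"

def evaluate(flows):
    """Per flow: (visible to the perimeter firewall?, hypervisor verdict)."""
    return [(perimeter_sees(f), hypervisor_verdict(f)) for f in flows]

# Constructed sample traffic; the second flow is east-west, so only the
# hypervisor ever sees it, and it violates the tiering policy.
SAMPLE = [
    Flow("10.0.1.10", "10.0.2.10", 8080),   # web -> app, allowed
    Flow("10.0.1.10", "10.0.3.10", 5432),   # web -> db directly, skips app tier
    Flow("203.0.113.5", "10.0.1.10", 443),  # inbound from the Internet to web
]
```

Running `evaluate(SAMPLE)` shows the web-to-database flow as invisible to the perimeter yet denied at the hypervisor, which is the vantage-point advantage the keynote claimed.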

But Gelsinger was clearly trying to move the discussion of the software-defined datacenter forward by adding a new security function and financial incentive for adopting it. If software-defined also means more secure, then VMware will have an additional argument for the vision it's been trying to articulate the past two years.

In a separate session at Interop, Casado spoke about the future of network virtualization, a subject on which he's been a leader since he authored the OpenFlow protocol and founded Nicira, eventually acquired by VMware for $1.2 billion.

The network can be virtualized under VMware's NSX platform, he said, and such a network can be reduced in physical complexity. The physical equipment would provide only simple network functions: point-to-point connectivity and packet replication. The more sophisticated features of networks no longer need to be embedded in the hardware. Instead, capacity planning, security policy assignment, and throughput decisions can be applied to the equipment as software decisions from a central controller.

The controller would run network-management applications that apply the rules the network owner has decided are appropriate. Switches and routers might be reconfigured based on the nature of the applications currently running and their traffic loads. Instead of the network perimeter being the ultimate point of defense, defenses might be placed at several key junctures around and inside the hypervisor, so that each type of threat is detected and blunted.

Gelsinger ended his keynote address with a kind of warning: "Network virtualization is an unstoppable force in the datacenter," he predicted. Neither he, his company, nor anyone else has the complete answer for how to implement virtualized networks with a new, optimized, "ubiquitous" security layer. But he left little doubt that a lot of work is underway behind the scenes, both at VMware and at other software-defined networking companies, to attack the problem in a new way.


Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Personally, I think it makes sense, as virtualization becomes more prevalent, to leverage the virtual switches to act as traffic cops, much in the way a firewall would work. That being said, there is still a need for tools like IDS/IPS to inspect internal traffic that gets past the physical network. This is really the key issue with virtualization: the abstraction of hardware means that if traffic can get past the physical security tools, unless there are virtual network security policies in place, you really can't see what's going on internally. The trick is to have an internal traffic cop that can distinguish valid from unauthorized traffic and can then react accordingly. It makes total sense to build these from internal hypervisor functionality, provided they have the right security policies to be able to understand what the traffic itself is.

This is a new vantage point from which to apply security. Do security experts agree that it's a good field position, or would they say it's better to stop the threat at the perimeter? I think you can see and do more at the hypervisor. You can tell what bad intentions are up to at that point. It's too easy to dismiss this as VMware thinking up more work for the hypervisor.